Overview

The VCF Async Patch tool can be used to patch individual BOM products on vSAN Ready Nodes and VxRail environments. The BOM products that can be individually async patched include:

VCF on vSAN Ready Nodes: VC, NSX, ESXi

VCF on VxRail: VC, NSX, ESXi/VxRail composite bundle

The Async Patch Tool is supported with VMware Cloud Foundation 4.2.1 and later

Future VCF upgrade version: VCF releases that are patched with async patches of BOM products can be upgraded to future VCF releases as stated in https://kb.vmware.com/s/article/88287

Operating System: Supported with Linux (includes Cygwin support) and Windows (includes WSL support) environment 

Flowchart

Commands

Remove Older version of the tool and configure TCP keepalives

How do I remove older version of the tool?

user: vcf

Remove older version of tool

How do I configure keepalives?

User: vcf

Configure Keepalives

Download Async Patch Tool 

Offline – Needs a DMZ machine which can connect to depot.vmware.com. Use linux machine

How do I download async patch tool

How do I install the tool on the DMZ server?

OFFLINE – Install tool on DMZ machine

User: <DMZ user>

Extract Patch

Demo

List Patches – Offline mode 

How do I list patches available for async patching in the Async Patch Tool?

user: <DMZ user>

List Patches

What does it output?

The tool will list a table of async patches and their details to the console in human-readable format:

List Option

Demo

Copy Async Patch Tool to SDDC Manager- Offline Mode

user: vcf (SSH to SDDC manager FQDN)

Demo

Download async BOM patch – DMZ Offline mode

user: DMZ user

Download Patch

Demo 

Copy Patch to SDDC manager – Offline mode

user: vcf

Demo

Enable Patch – Offline mode

user: vcf

Demo

Log in to the SDDC Manager UI and apply the async patch to all workload domains.

The patches that were enabled show up in the SDDC Manager. This should be run as a regular upgrade from the SDDC Manager. 

Disable all Patches – Offline

user: vcf

Demo

Download Future Bundles for Enable Upgrade – DMZ Offline Mode

user: DMZ user

Download Future Upgrade Bundles

Demo

Standalone commands

Help

Lists the different types of options supported by the tool

${AP_TOOL_DIR}/bin/vcf-async-patch-tool -h

Inventory Sync

This operation updates the VCF inventory of NSX-T, ESXi and VC with the accurate information of the versions run by the actual products, keeping the record that the VCF instance is up-to-date. This option should be exercised by the customers when the customers have done any out of band upgrades

${AP_TOOL_DIR}/bin/vcf-async-patch-tool –performInventorySync –sddcSSOUser

${SDDC_SSO_USER} –sddcSSHUser ${SDDC_SSH_USER}

Demo

Post-check

This option can be used to verify if the patch enablement has been completed successfully or failed. It internally will ensure that all the requested patches have been uploaded to LCM and are showing as available for upgrade.

${AP_TOOL_DIR}/bin/vcf-async-patch-tool –enableAsyncPatch –postcheck –patch

${PRODUCT_TYPE}:${PRODUCT_VERSION} –sddcSSOUser ${SDDC_SSO_USER} –sddcSSHUser

${SDDC_SSH_USER} –instanceType ${INSTANCE_TYPE} [ONLINE/OFFLINE]

Additional options

–depotUser ${DEPOT_USER}: Required to be specified for online SDDC-M environments

–pdu ${PARTNER_DEPOT_USER}: Required to be specified for for online Vxrail SDDC-M environments

–outputDirectory ${OUTPUT_DIRECTORY}: Required to be specified for for offline SDDC-M environments. This should be the location of transferred artefacts from DM-Z machine to SDDC-M. This is optional arg for online SDDC-M environments

Pre-check

Validate system environment is able to perform enable patch.  

${AP_TOOL_DIR}/bin/vcf-async-patch-tool –enableAsyncPatch –precheck –patch

${PRODUCT_TYPE}:${PRODUCT_VERSION} –sddcSSOUser ${SDDC_SSO_USER} –sddcSSHUser

${SDDC_SSH_USER} –instanceType ${INSTANCE_TYPE} [ONLINE/OFFLINE]

Additional options                    

–depotUser ${DEPOT_USER}: Required to be specified for online SDDC-M environments     

–pdu ${PARTNER_DEPOT_USER}: Required to be specified for for online Vxrail SDDC-M environments    

–outputDirectory ${OUTPUT_DIRECTORY}: Required to be specified for for offline SDDC-M environments. This should be the location of transferred artefacts from DM-Z machine to SDDC-M. This is optional arg for online SDDC-M environments

–productType, –ptype <String>: Product type, ESX_HOST,NSX_T_MANAGER, VCENTER listAsyncPatch in order to filter the list by product type.   

–proxyServer, –ps <String>: Used when internet connectivity is only available through a proxy server. Provide proxy server addressand port in ‘<FQDN:port>’ format.    

To Note:

–depotPassword <String>             MyVMware login password. Should be specified in quotes if any special characters are included

–depotUser, –du <String>           MyVMware login user name. Should be  specified in quotes if any special  characters are included       

The download operation of enable patch downloads additional SDDC Hot Patch bundles. These bundles may be required to patch your SDDC to successfully apply the async patch on your environment.  

Troubleshooting

Log Location

Log for the Async patch tool is async_patch_tool.log. Tail -f to see log details. The tool prints the INFO or above level logs to the console. The tool prints the current location of the log file when the process is running, copies over the log files to /var/log/vmware/vcf/lcm/tools/asyncpatchtool directory once the tool finishes the execution to allow SoS collection

Disabling All Patches Ends Unexpectedly with Failure Waiting for LCM Service to come up

The script used to clean up bundles in the disable patch workflow intermittently gets stuck and exits out.

In this scenario, there is a chance that LCM was never restarted if the script exited unexpectedly. 

If this occurs, ensure the LCM service is up and running correctly and retry AP Tool operation

Enable Future Upgrade on VxRail fails with Exception

Make sure the partnerBundleMetadata.json and softwareCompatibilitySets.json are correctly placed in /nfs/vmware/vcf/nfs-mount/bundle/depot/local 

Make sure a permission of 755 on the above location , for the vcf_lcm user

Invalid Permissions Issue

If the output directory was copied over to the sddc VM without setting proper ownership/permissions, the tool will fail when uploading bundles with error similar to:

Unwanted bundles are enabled on environment and cleanup has to be performed

If the patches enabled using AP tool are required to be cleaned up, please login your SDDC VM as root user and run disable all patches command:
Error Message

Account locked issue

The tool uses root credentials for performing the operations such as config property update, etc as required for the operations.

If there are multiple attempts with either blank or invalid password, the user account is locked on SDDC VM. Follow the steps below to reset the number of failed logins by the root user.

Reset failed root login attempts

Invalid Permissions Issue

To fix the error, ensure that the output directory has proper vcf:vcf 755 permissions:

Links

Documentation: https://docs.vmware.com/en/VMware-Cloud-Foundation/services/ap-tool/GUID-49818DF1-94EA-4C85-8CB6-6EFFCE5F8060.html

Patch Support : https://kb.vmware.com/s/article/88287

The post VMware Cloud Foundation 4.x – Async Patching of NSX, VC, ESXi – Offline/air-gapped customers appeared first on VMware Cloud Foundation (VCF) Blog.